In cryptography, a certification authority (CA) is an entity that issues digital certificates. The digital certificate certify the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate. CAs are characteristic of many public key infrastructure (PKI) schemes.
A digital certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they may use that key to communicate with its owner.
In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA). In a web of trust scheme, the signer is either the key's owner (a self-signed certificate) or other users (“endorsements”) whom the person examining the certificate might know and trust.
Certificates are an important component of Transport Layer Security (TLS, sometimes called by its older name SSL), where they prevent an attacker from impersonating a secure website or other server. They are also used in other important applications, such as email encryption and code signing.
PKI (Public Key Infrastructure) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The third-party validation authority (VA) may provide this information on behalf of CA. The binding is established through the registration and issuance process, which, depending on the assurance level of the binding, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA), which ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiation.
While third party CAs offer many security advantages, they suffer from several limitations. Some of these limitations include the fact that they are not based on personal relationships and interaction such as face to face interactions. Historically, personal relationships have been the basis of most webs of trust between humans. Without the ability of establishing a web of trust based on personal relationships, a digital certificate may be distributed to individuals that a distributing agent has never personally met.